document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-13 22:30:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

[Translated] 20141014 Linux FAQs with Answers--How to detect and patch Shellshock vulnerability in bash.md

Browse Source
This commit is contained in:
GOLinux 2014-10-17 09:00:24 +08:00
parent 37841e1aa2
commit e024c326b7
2 changed files with 75 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
sources/tech/20141014 Linux FAQs with Answers--How to detect and patch Shellshock vulnerability in bash.md
View File

@ -1,76 +0,0 @@
Translating by GOLinux!
Linux FAQs with Answers--How to detect and patch Shellshock vulnerability in bash
================================================================================
> **Question**: I would like to know how to test whether or not my Linux server is vulnerable to bash Shellshock bug, and how to protect my Linux server against the Shellshock exploit.
On September 24, 2014, a bash vulnerability nicknamed "Shellshock" (aka "Bashdoor" or "Bash bug") was discovered by a security researcher named Stephane Chazelas. This flaw, if exploited, allows a remote attacker to run arbitrary code by exporting function definitions inside specially crafted environment variables before calling the shell. Then the code inside these functions can get executed as soon as bash is invoked.
Note that Shellshock affects bash versions 1.14 through 4.3 (current), and although at the time of this writing no definitive and complete fix for this vulnerability has been found, and major Linux distributors ([Debian][1], [Red Hat][2], [CentOS][3], [Ubuntu][4], and [Novell/Suse][5]) have released patches that address the bugs related to it ([CVE-2014-6271][6] and [CVE-2014-7169][7]), and recommended updating bash as soon as possible, and continuing to check for updates over the next several days:
### Test for Shellshock Bug ###
To check if your Linux system is vulnerable to Shellshock bug, type the following command in a terminal.
$ env x='() { :;}; echo "Your bash version is vulnerable"' bash -c "echo This is a test"
上面代码中echo "Your bash version is vulnerable"一句在发布时刷成红色)
If your Linux system is exposed to Shellshock exploit, the output of the command will be:
Your bash version is vulnerable
This is a test
In the above command, an environment variable called x is made available to the user environment. It does not contain a value as we know it (but a dummy function definition) followed by an arbitrary command (in red)red这个词在发布时刷成红色, which will be executed before bash is called later on.
### Apply Fix for Shellshock Bug ###
You can install the newly released patch for bash as follows.
On Debian and derivatives:
# aptitude update && aptitude safe-upgrade bash
On Red Hat-based distributions:
# yum update bash
#### Before patch: ####
Debian:
![](https://farm4.staticflickr.com/3903/15342893796_0c3c61aa33_z.jpg)
CentOS:
![](https://farm3.staticflickr.com/2949/15362738261_99fa409e8b_z.jpg)
#### After patch: ####
Debian:
![](https://farm3.staticflickr.com/2944/15179388727_bdb8a09d62_z.jpg)
CentOS:
![](https://farm4.staticflickr.com/3884/15179149029_3219ce56ea_z.jpg)
Note that the version has not changed in each chosen distribution before and after installing the patch - but you can verify that it has been installed by observing the behavior of the update commands (most likely you will be asked beforehand in order to confirm the installation).
If for some reason you can't install the patch, or if your distribution has not yet released one, it is recommended to use another shell until a fix comes up.
--------------------------------------------------------------------------------
via: http://ask.xmodulo.com/detect-patch-shellshock-vulnerability-bash.html
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:https://www.debian.org/security/2014/dsa-3032
[2]:https://access.redhat.com/articles/1200223
[3]:http://centosnow.blogspot.com.ar/2014/09/critical-bash-updates-for-centos-5.html
[4]:http://www.ubuntu.com/usn/usn-2362-1/
[5]:http://support.novell.com/security/cve/CVE-2014-6271.html
[6]:http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
[7]:http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

75
translated/tech/20141014 Linux FAQs with Answers--How to detect and patch Shellshock vulnerability in bash.md Normal file
View File

@ -0,0 +1,75 @@
Linux有问必答——如何检测并修复bash中的破壳漏洞
================================================================================
> **问题**我想要知道我的Linux服务器是否存在bash破壳漏洞以及如何来保护我的Linux服务器不受破壳漏洞侵袭。
2014年9月24日一位名叫斯特凡·沙泽拉的安全研究者发现了一个名为“破壳”也称为“bash门”或“Bash漏洞”的bash漏洞。该漏洞如果被渗透远程攻击者就可以在调用shell前通过在特别精心编制的环境中输出函数定义执行任何程序代码。然后这些函数内的代码就可以在调用bash时立即执行。
注意破壳漏洞影响到bash版本1.14到4.3当前版本。虽然在写本文时还没有该漏洞权威而完整的修复方案也尽管主要的Linux发行版[Debian][1][Red Hat][2][CentOS][3][Ubuntu][4]和 [Novell/Suse][5])已经发布了用于解决与此漏洞相关的补丁([CVE-2014-6271][6]和[CVE-2014-7169][7]并且建议尽快更新bash并在随后数日内检查更新
### 检测破壳漏洞 ###
要检查你的Linux系统是否存在破壳漏洞请在终端中输入以下命令。
$ env x='() { :;}; echo "Your bash version is vulnerable"' bash -c "echo This is a test"
上面代码中echo "Your bash version is vulnerable"一句在发布时刷成红色)
如果你的Linux系统已经暴露给了破壳漏洞渗透命令输出会像这样
Your bash version is vulnerable
This is a test
在上面的命令中一个名为x的环境变量已经被设置可用于用户环境。就如我们所了解到的它并没有赋值是一个虚函数定义后面跟了一个任意命令红色red这个词在发布时刷成红色该命令将在bash调用前执行。
### 为破壳漏洞应用修复 ###
你可以按照以下方法安装新发布的bash补丁。
在Debian及其衍生版上
# aptitude update && aptitude safe-upgrade bash
在基于Red Hat的发行版上
# yum update bash
#### 打补丁之前: ####
Debian
![](https://farm4.staticflickr.com/3903/15342893796_0c3c61aa33_z.jpg)
CentOS
![](https://farm3.staticflickr.com/2949/15362738261_99fa409e8b_z.jpg)
#### 打补丁之后: ####
Debian:
![](https://farm3.staticflickr.com/2944/15179388727_bdb8a09d62_z.jpg)
CentOS:
![](https://farm4.staticflickr.com/3884/15179149029_3219ce56ea_z.jpg)
注意在安装补丁前后各个发行版中的bash版本没有发生变化——但是你可以通过从更新命令的运行过程中看到该补丁已经被安装很可能在安装前需要你确认
如果处于某种原因你不能安装该补丁或者针对你的发行版的补丁还没有发布那么建议你先试用另外一个shell直到修复补丁出现。
--------------------------------------------------------------------------------
via: http://ask.xmodulo.com/detect-patch-shellshock-vulnerability-bash.html
译者:[GOLinux](https://github.com/GOLinux)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:https://www.debian.org/security/2014/dsa-3032
[2]:https://access.redhat.com/articles/1200223
[3]:http://centosnow.blogspot.com.ar/2014/09/critical-bash-updates-for-centos-5.html
[4]:http://www.ubuntu.com/usn/usn-2362-1/
[5]:http://support.novell.com/security/cve/CVE-2014-6271.html
[6]:http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
[7]:http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169